b'         Office of Inspector General\n         Report of Audit\n\n\n\n        ACQUISITION MANAGEMENT\n\n\n\n\nCONTRACTOR ACCESS TO CONFIDENTIAL DATA\n\n\n\n\n             E1BMF7-11-0026-8100250\n\n\n\n\n               September 28, 1998\n\x0cInspector General Division\n Conducting the Review:      Headquarters Audit Division\n\nProgram Offices Involved:          Office of Administration and\n                                   Resources Management\n\n                             Office of Acquisition Management\n\x0cMEMORANDUM\n\nSUBJECT:       Contractor Access To Confidential Data\n               Audit Report No. E1BMF7-11-0026-8100250\n\nFROM:          Elissa R. Karpf\n               Deputy Assistant Inspector General\n                for External Audits\n\nTO:            Alvin M. Pesachowitz\n               Acting Assistant Administrator\n                for Administration and Resources Management\n\n        Attached is our final report entitled \xe2\x80\x9cContractor Access to Confidential Data.\xe2\x80\x9d Our\noverall objectives were to determine if EPA: (1) has adequate controls over contractor access to\nconfidential or sensitive data; (2) has routinely considered contractor access to confidential or\nsensitive data when awarding contracts and assigning work; and, (3) personnel were\nknowledgeable about the risks, restrictions, and rules concerning contractor access to confidential\nor sensitive data.\n\nACTION REQUIRED\n\n        A draft audit report was issued to you on July 7, 1998. We consider the planned\ncorrective actions and milestone dates for recommendations 1 and 3, detailed in your response to\nthe draft report, acceptable. Also, based on your comments and current guidelines contained in\nthe Acquisition Handbook, Unit 17, we revised recommendation 2. We understand you agree to\nimplement the revised recommendation based on our discussion with the Director, Office of\nAcquisition Management, at the exit conference held on September 24, 1998. Therefore, we are\nclosing this report in our audit tracking system as of this date. Please track all planned actions\nand milestone dates in the Management Audit Tracking System. We have no objections to the\nfurther release of this report to the public.\n\n        This report describes findings and corrective actions the Office of Inspector General\n(OIG) recommends to help improve and strengthen controls over contractor access to confidential\nor sensitive data. As such, it represents the opinion of the OIG. Final determinations on matters\n\x0cin the report will be made by EPA managers in accordance with established EPA audit resolution\nprocedures. Accordingly, the findings described in this report do not necessarily represent the\nfinal EPA position and are not binding upon EPA in any enforcement proceedings brought by\nEPA or the Department of Justice.\n\n       We would like to thank your staff for their cooperation. Should you or your staff have\nany questions about this report, please contact Norman E. Roth, Divisional Inspector General for\nAudit, Headquarters Audit Division, on (202) 260-5113.\n\n\n\n\n                                               2\n\x0c                                                              Contractor Access To Confidential Data\n\nPURPOSE AND SCOPE\n\n        We performed this audit as a result of the findings from a survey report entitled "Results\nof Survey of EPA\'s Contract Management Initiatives" issued September 1997. That report\nidentified a potential vulnerability related to controls over contractor access to confidential or\nsensitive data. Our objectives were to determine if EPA:\n\n       (1) has adequate controls over contractor access to confidential or sensitive data;\n\n       (2) has routinely considered contractor access to confidential or sensitive data when\n       awarding contracts and assigning work; and\n\n       (3) personnel were knowledgeable about the risks, restrictions, and rules concerning\n       contractor access to confidential or sensitive data.\n\n        We interviewed approximately one hundred contracting officers, contract specialists,\nproject officers, work assignment managers, and delivery order project officers who managed 21\ncontracts. We discussed how they handled confidential or sensitive data. We reviewed the\ncontract and work assignment files for the 21 contracts to determine whether consideration was\ngiven to controlling contractor access to confidential or sensitive data. We also reviewed\nguidance documents to determine the requirements for controlling access to confidential or\nsensitive data. (See Appendix 1 for details on scope and methodology.)\n\nBackground\n\n        EPA obtains and maintains many types of confidential or sensitive data. Because the\nAgency uses contractors extensively, much of this data may be accessed by certain contractors in\nthe normal course of performing their duties. Confidential data includes confidential business\ninformation, and Privacy Act information. Confidential business information includes trade\nsecrets, proprietary, commercial, financial, and other information that is afforded protection from\ndisclosure under certain circumstances as described in the Trade Secrets Act, Federal Acquisition\nRegulation, and Office of Management and Budget Circular A-130. Privacy Act information\napplies to records about individuals.\n\n        Sensitive data includes enforcement-sensitive information, and EPA internal-sensitive\ninformation. Enforcement-sensitive information includes privileged information that, if disclosed,\nwould result in disruption to the legal process, or would reveal enforcement techniques. EPA\ninternal-sensitive information includes information used within the Agency that, if not afforded\nprotection from disclosure, could result in unfair contracting practices, or may adversely affect\nAgency personnel or property.\n\n\n                                                           Report No. EIBMF7-11-0026-8100250\n                                                 3\n\x0c                                                             Contractor Access To Confidential Data\n\nPrior Audit Coverage\n\n       The Office of Inspector General issued a report (Report No. 7400070) on September 30,\n1997, which addressed EPA\xe2\x80\x99s efforts since 1992 to correct longstanding weaknesses in contracts\nmanagement. The report disclosed that the Agency has taken positive steps to address contracts\nmanagement weaknesses, however, potential vulnerabilities remain in three areas, including\ncontractor access to confidential or sensitive data. This specific audit of contractor access to\nconfidential or sensitive data was conducted as a result of our prior findings in Report No.\n7400070.\n\nRESULTS IN BRIEF\n\n        The Agency has a system in place to control contractor access to confidential business\ninformation. However, the system does not adequately address controls over contractor access to\nother equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.\nIn addition, although contracting officers routinely included various contract clauses that mention\ncontrol of confidential or sensitive data when awarding contracts, program office personnel were\nnot always aware of the contract clauses and did not always consider access to confidential or\nsensitive data when assigning work.\n\n        We issued a draft report on July 7, 1998. We received a response to the draft report from\nthe Office of Administration and Resources Management on August 27, 1998. The Acting\nAdministrator took no exception to the report findings and agreed to implement most of the\nrecommendations in this report. A copy of the response is included as Appendix 2 to this report.\nWe held an exit conference on September 24, 1998.\n\n\nFINDINGS AND RECOMMENDATIONS\n\nThe Agency\xe2\x80\x99s Controls over Contractor Access to Confidential or Sensitive Data Need to be\nImproved\n\n        The Agency has a system in place to control contractor access to confidential business\ninformation. However, the system does not adequately address controls over contractor access to\nother equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.\nIn addition, program personnel were not always aware of requirements to safeguard against\ncontractor access to confidential or sensitive data.\n\n        The Contracts Management Manual (CMM), Chapter 2 requires, for situations where a\ncontractor has access to confidential or sensitive data, that control measures be established to\nensure that contractors do not have inappropriate access to such data and to ensure systems are in\n\n                                                          Report No. EIBMF7-11-0026-8100250\n                                                4\n\x0c                                                               Contractor Access To Confidential Data\n\nplace to prevent the release of sensitive data to non-designated contractor employees. A\ndiscussion of control measures must be prepared by the Project Officer and approved by the\ncontracting office prior to issuance of the solicitation. CMM, Chapter 1, requires contract\nmanagement plans for certain contracts. One of the requirements of the plan is to identify key\nvulnerabilities inherent in the contract and provide a description of the provisions for dealing with\nthem. Confidential business information was identified as a key vulnerability. In addition, the\nCMM provides that project officers, work assignment managers, and delivery order project\nofficers are responsible for monitoring all the activities of the contractor. This guidance\nspecifically identifies and requires the safeguarding of confidential business information.\n\n        The contracting office routinely includes various contract clauses dealing with control\nover confidential business information in the contract. These clauses may prevent improper\ncontractor access to confidential business information, if followed. However, as detailed later in\nthe report, program office personnel were not always aware of the contract clauses and did not\nalways consider access to confidential or sensitive data when assigning work. The clauses can not\nserve their purpose of safeguarding confidential or sensitive data if they are not properly\nimplemented.\n\n        Contract management plans were required and established for seven of the 21 contracts\nwe reviewed. Each of the seven plans included provisions for dealing with confidential business\ninformation. Some of the provisions included contract clauses identifying special requirements,\nestablishing reviews of work assignments, establishing security plans, and requiring contractors to\nobtain confidentiality agreements from their personnel. Although the remaining 14 contracts did\nnot require a contract management plan, they included clauses requiring protection of confidential\nbusiness information. Contracting Officers told us that these clauses are routinely included in the\ncontract as a precaution. However, the program offices were not always aware of these\nconfidential business information provisions.\n\n       We found that Cincinnati-Contracts Management Division (CMD) had good controls over\ncontractor access to confidential business information. Before approving work assignments,\nCMD officials reviewed each work assignment for potential access to confidential business\ninformation. If the potential for release existed, CMD officials verified that the release was\nauthorized in the contract. If the release was not approved in the contract, the work assignment\nwas rejected. CMD officials also ensured that EPA and contractor personnel had confidential\nbusiness information clearances before approving work assignments involving access to the\ninformation.\n\n       A good control was also established in a Headquarters contract involving the Integrated\nContracts Management System. This system contains very sensitive data such as overhead rates\nand proposal data for all EPA contracts. The contractor that manages the system has access to\ncompetitors\xe2\x80\x99 rates and other data that could be beneficial for future contract bids and other\n\n                                                            Report No. EIBMF7-11-0026-8100250\n                                                  5\n\x0c                                                                Contractor Access To Confidential Data\n\nprocurement actions. Headquarters contract officials recently took action to both limit the extent\nof system access and reduce the number of contractor personnel with access to the system. These\nactions were appropriate and should be considered in similar situations.\n\n        Program offices and contracting divisions each play an important role in making sure that\ncontractor access to confidential or sensitive data is properly controlled. Program offices have the\nprimary role in controlling access because they are the personnel who work directly with the\ncontractor and are responsible for ensuring confidential or sensitive data is not released to\nunauthorized contractor personnel. Contracting officials\xe2\x80\x99 roles are also key in providing oversight\nof the legal aspects of contract execution. Controlling contractor access to confidential or\nsensitive data is a shared responsibility between the program office and the contracting divisions.\nProgram offices should work with contracting officers to ensure they are knowledgeable about\ncontract clauses and necessary procedures to control contractor\xe2\x80\x99s access to confidential or\nsensitive data. Contracting officials should place the same emphasis on contractor access to other\nsensitive data, such as enforcement, Privacy Act, or internal sensitive data, as they do for\nconfidential business information.\n\nEPA Routinely Considers Access To Sensitive Data Issues When Awarding Contracts But Not\nAlways When Assigning Work.\n\n        When awarding contracts, contracting officers routinely included various contract clauses\nthat mention control of confidential or sensitive data. These clauses include provisions for\nscreening business information for claims of confidentiality, conducting background searches and\nobtaining clearance documents on contractor personnel who have access to confidential or\nsensitive data, and releasing contractor confidential business information. However, program\noffice personnel were not always aware of the contract clauses and did not always consider access\nto confidential or sensitive data when assigning work. In addition, program office personnel did\nnot always know if work assignments or delivery orders required contractors to access\nconfidential or sensitive data.\n\n         For nine of the 21 contracts we reviewed, project officers, work assignment managers,\nand delivery order project officers had conflicting opinions on whether a contract involved\nconfidential or sensitive data. For example, six project officers told us that none of the work\nassignments or delivery orders for their contracts required access to confidential or sensitive data.\nOn the other hand, work assignment managers and delivery order project officers for these same\ncontracts told us that the work assignments or delivery orders did require the contractor to have\naccess to confidential or sensitive data. For another contract, the project officer said that all eight\nwork assignments for the contract involved access to confidential or sensitive data. However, one\nwork assignment manager said that none of her work assignments involved confidential or\nsensitive data.\n\n\n                                                             Report No. EIBMF7-11-0026-8100250\n                                                  6\n\x0c                                                               Contractor Access To Confidential Data\n\n        As a result, confidential or sensitive data released to contractors was not always\ncontrolled. For example, in Region 10, we visited a contractor\'s office and found two of five files\nthat contained sensitive documents. According to both the contracting officer and contractor,\nthese documents were provided with the work assignment. However, none of the work\nassignment managers were aware that the documents contained sensitive data and or that the\ncontractor had access to it.\n\n        One contract specialist suggested that a person be designated as a point of contact to\naddress any questions or concerns regarding confidential or sensitive data. Agency program\noffices have document control officers who are basically responsible for controlling confidential\nbusiness information for their respective programs. However, these officers do not deal with\nPrivacy Act data, enforcement sensitive, or internal sensitive. With proper training, the document\ncontrol officers could serve as points of contact to address questions concerning contractor access\nto confidential or sensitive data.\n\n       To properly protect and safeguard confidential or sensitive data, program office personnel\nshould be able to recognize and agree on work assignments and delivery orders that involve\ncontractor access to confidential or sensitive data. Confidential or sensitive data that is\ninadequately safeguarded or improperly disclosed could adversely affect Agency personnel and\nproperty or result in a contractor having a competitive advantage in the procurement process.\n\nProgram Office Personnel Need Training About the Risks and Rules Concerning Contractor\nAccess to Confidential or Sensitive Data\n\n        One of the goals of our interviews was to determine if EPA personnel were\nknowledgeable about the risks, restrictions, and rules concerning contractor access to confidential\nor sensitive data. Four of the 19 project officers and 21 of 54 work assignment managers and\ndelivery order project officers were not familiar with or aware of any procedures to control\ncontractor access to confidential or sensitive data. This lack of knowledge can result in\nunauthorized contractor personnel having access to sensitive data. In addition, it may place the\nAgency, as well as employees involved in allowing the contractor access, at risk for civil litigation\nand even criminal penalties.\n\n        The Contract Management Manual provides that it is EPA policy that all individuals\nserving as contracting officers, project officers, work assignment managers, and delivery order\nproject officers fully understand their responsibilities and duties. This understanding is to be\ndeveloped through training and actual work experience. During our interviews, 9 of 19 project\nofficers and 24 of 54 other program office personnel stated they had not received specific training\nregarding contractor access to confidential or sensitive data. Some of these individuals indicated\nthey did not fully understand the risk, restrictions and rules regarding contractor access to\nconfidential or sensitive data. Training for program personnel is important since, generally, these\n\n                                                            Report No. EIBMF7-11-0026-8100250\n                                                  7\n\x0c                                                              Contractor Access To Confidential Data\n\nindividuals have technical backgrounds and would not necessarily be knowledgeable of Federal\nand EPA procurement regulations. In addition, program personnel are responsible for assigning\nwork to the contractor and are more aware of the specific tasks to be performed.\n\n        Most program office personnel had taken the required contract courses. However,\nprogram personnel told us that the courses do not adequately address the issue of contractor\naccess to confidential or sensitive data. They stated that the courses contain some information\nregarding confidential business information, the other areas such as Privacy Act information,\nenforcement sensitive, and internal sensitive information, were not addressed at all. Subsequent\nto the audit, the Office of Acquisition Management informed us that the current training\ncurriculum already addresses the need for protecting against the unauthorized release of CBI,\nprocurement sensitive information, and Privacy Act information. The instructors for the contract\ntraining courses will continue to stress the importance of maintaining protective custody of this\ninformation.\n\n\nRECOMMENDATIONS\n\n      We recommend the Acting Assistant Administrator for Administration and Resources\nManagement in coordination with other appropriate senior Agency managers:\n\n 1.    Issue a directive that contracting officers and the program office (PO/WAM) work\n       together to review their contracts to determine if the contract involves contractor access\n       to confidential or sensitive data and ensure necessary safeguards are in place to control\n       contractor access to such data.\n\n 2.    Emphasize the evaluation of security over all types of confidential or sensitive data during\n       the quality assurance reviews completed under the Contracting Officer/Project Office\n       Contract Monitoring Program.\n\n 3.    Revise the Contracts Management Manual to include clear definitions of confidential\n       business, enforcement sensitive, and Privacy Act information. Include a specific\n       requirement to address contractor access to each one in the contract management plan.\n\n\nAGENCY RESPONSE AND OIG EVALUATION\n\n        The Acting Assistant Administrator for Administration and Resources Management took\nno exceptions to the report findings, and agreed to implement corrective actions for two of the\nthree recommendations above. The planned corrective actions include issuing a directive to\naddress recommendation 1, and revising the Contracts Management Manual to address\n\n                                                           Report No. EIBMF7-11-0026-8100250\n                                                8\n\x0c                                                               Contractor Access To Confidential Data\n\nrecommendation 3. The Acting Assistant Administrator did not concur with recommendation 2,\nbut indicated that Acquisition Management Review (AMR) teams would continue to ensure that\nconfidential business information clauses are included in EPA contracts whenever appropriate.\nWe modified recommendation 2 to indicate that security over all types of confidential or sensitive\ndata should be evaluated during quality assurance reviews completed under the Contracting\nOfficer/Project Office Contract Monitoring Program. This recommendation is supported by\ncurrent guidelines contained in the Acquisition Handbook, Unit 17. At the exit conference the\nDirector, Office of Acquisition Management, stated that they plan to implement the revised\nrecommendation.\n\n         The Acting Assistant Administrator also did not concur with a fourth recommendation\nthat we included in the draft report. We recommended that a module to address contractor access\nto confidential or sensitive data be included in Agency contract training courses. He believed that\nthis issue is adequately addressed in currently available training text. However, instructors for the\ncontract courses will be reminded to stress the importance of maintaining protective custody of\nconfidential or sensitive data, and remind contracting/project officers of this issue in the directive\nto be issued for recommendation 1. The Agency\xe2\x80\x99s actions should adequately address this issue,\ntherefore, we eliminated recommendation 4 from the final report.\n\n       The entire response is included as Appendix 2 to this report.\n\n\n\n\n                                                            Report No. EIBMF7-11-0026-8100250\n                                                  9\n\x0c                                 Contractor Access To Confidential Data\n\n\n\n\n(This page was intentionally left blank.)\n\n\n\n\n                              Report No. EIBMF7-11-0026-8100250\n                   10\n\x0c                                                   Contractor Access To Confidential Data\n\n                                                                               Exhibit 1\n\n                     Contracts Selected for Review\n\nContract Number                            Program Office\n   68-W6-0069      Office of Prevention, Pesticides, and Toxic Substances\n   68-W5-0058      Office of Administration and Resources Management\n   68-W5-0024      Agencywide1\n   68-W1-0055      Office of Administration and Resources Management\n   68-W3-0003      Office of Administration and Resources Management\n   68-W4-0030      Office of Solid Waste and Emergency Response\n   68-W4-0040      Office of Solid Waste and Emergency Response\n   68-C5-0039      Office of Research and Development\n   68-C4-0007      Office of Water\n   68-C4-0024      Office of Water\n   68-D6-0014      Office of the Administrator/Deputy Administrator\n   68-W2-0025      Office of Administration and Resources Management\n   68-S5-3002      Office of Solid Waste and Emergency Response\n   68-W4-0010      Office of Solid Waste and Emergency Response\n   68-W8-0084      Office of Administration and Resources Management\n   68-W6-0012      Office of Solid Waste and Emergency Response\n   68-W4-0021      Office of Solid Waste and Emergency Response\n   68-W9-0059      Office of Administration and Resources Management\n   68-W9-0060      Office of Solid Waste and Emergency Response\n   68-W9-0046      Office of Solid Waste and Emergency Response\n   68-W4-0014      Office of Solid Waste and Emergency Response\n\n\n\n\n1\n Contract provides records management services for the Agency.\n                                                Report No. EIBMF7-11-0026-8100250\n                                       11\n\x0c                                Contractor Access To Confidential Data\n\n\n\n\n(This page was intentionally left blank.)\n\n\n\n\n                             Report No. EIBMF7-11-0026-8100250\n                   12\n\x0c                                                              Contractor Access To Confidential Data\n\n                                                                                         Appendix 1\n                                                                                         Page 1 of 2\n\n                         DETAILED SCOPE AND METHODOLOGY\n\n       We concentrated on contracts active in fiscal years 1996 and 1997. We selected and\nreviewed a sample of 21 contracts from the universe of approximately 200 which are similar to\ncontracts that the Northern Audit Division (NAD) identified in its survey (EPA Report No.\n7400070). The contract universe was classified in four categories: confidential business\ninformation; Privacy Act information; Enforcement Sensitive information; and internal-sensitive\ninformation. Our sample was selected to ensure that all four categories were represented.\n\n         During the survey of EPA Contract Management Initiatives, NAD reviewed several\ncontract issues. NAD determined the Agency did not maintain a centralized listing of Agency\ncontracts where a contractor may have access to confidential or sensitive data. The Acting\nInspector General and the Acting Assistant Administrator for Administration and Resources\nManagement, sent a joint letter to all the Agency\xe2\x80\x99s Senior Resource Officials (SRO) requesting\nthem to identify contracts that may involve confidential or sensitive data. The SROs response to\nthe letter identified about 200 contracts Agencywide. We used this universe as the basis for our\naudit.\n\n        We interviewed approximately one hundred contracting officers, contract specialists,\nproject officers, work assignment managers, and delivery order project officers who managed the\nsampled contracts to determine how they handled confidential/sensitive data. We reviewed the\ncontract and work assignment files to determine whether consideration was given to contractor\naccess and to determine if EPA has a system in place to ensure all access to confidential or\nsensitive data is properly monitored and controlled.\n\n        We conducted our field work at EPA Headquarters; Regions 3, 5, 7, 9 and 10; and offices\nin Cincinnati, OH and Research Triangle Park, NC. We reviewed 54 work assignments, delivery\norders, and technical direction documents that were issued under the 21 contracts. These 21\ncontracts had a total value of almost $1.5 billion with an average value of over $71 million for each\nindividual contract.\n\n        We also contacted and met with employees from the Department of Energy (DOE) and\nNational Aeronautics and Space Administration (NASA) to determine how they handled\ncontractor access to sensitive data. Both of these Agencies operate very similar to how EPA\noperates its contract administration. We did not obtain any additional information that could\nbenefit EPA. Thus we did not make any recommendations based on our contacts with DOE and\nNASA.\n\n\n                                                           Report No. EIBMF7-11-0026-8100250\n                                                 13\n\x0c                                                         Contractor Access To Confidential Data\n\n                                                                                   Appendix 1\n                                                                                   Page 2 of 2\n\n       We performed this audit in accordance with 1994 Government Auditing Standards issued\nby the Comptroller General of the United States. We conducted fieldwork from September 1997\nto March 1998.\n\n\n\n\n                                                      Report No. EIBMF7-11-0026-8100250\n                                             14\n\x0c                                                                       Contractor Access To Confidential Data\n                                                                                                    Appendix 2\n                                                                                                    Page 1 of 2\n\n\n\n\nMEMORANDUM\n\nSUBJECT:         Contractor Access To Confidential Data\n                 Draft Audit Report No. E1BMF7-11-0026\n\nFROM:            Alvin M. Peasachowitz2\n                 Acting Assistant Administrator\n                 Office of Administration and Resources Management\n\nTO:              Elissa R. Karpf\n                 Deputy Assistant Inspector General\n                 For Acquisition and Assistance Audits\n\n        Thank you for the opportunity to provide comments on the above report.\n\n       We take no exceptions to the findings and our response to the OIG recommendations are discussed\nbelow by subject in the order of appearance in the report.\n\n        If you have any questions or comments, please call me at 260-4600, or have your staff call Betty L.\nBailey, Director, Office of Acquisition Management, at 564-4310.\n\nOIG: Recommend the Acting Assistant Administrator for Administration and Resources Management\nin coordination with other appropriate senior Agency managers:\n\nRecommendation 1: Issue a directive that contracting officers and the program office (PO/WAM)work\ntogether to review their contracts to determine if the contract involves contractor access to confidential or\nsensitive data and ensure necessary safeguards are in place to control contractor access to such data.\n\nOARM Response: We concur with this recommendation. OAM will issue a memo from the Director,\nOffice of Acquisition Management, to contracting officers (COs) and program office representatives,\nrequesting that they review and determine if their contracts involves contractor access to confidential or\nsensitive data. If so, the parties will take the appropriate steps to ensure that necessary safeguards are in\nplace to control contractor access to such data. We will issue this memo by August 31, 1998.\n\n\n\n          2\n          This is an electronic file of the management response memorandum which was signed by\n Alvin M. Pesachowitz on August 27, 1998.\n                                                                    Report No. EIBMF7-11-0026-8100250\n                                                       15\n\x0c                                                                      Contractor Access To Confidential Data\n                                                                                                Appendix 2\n                                                                                                 Page 2 of 2\n\nRecommendation 2: As part of the Acquisition Management Reviews, review contacts to ensure only\nauthorized contractor personnel have access to confidential or sensitive data and that the clauses are being\nenforced.\n\nOARM Response: We do not concur with this recommendation. The primary focus of an Acquisition\nManagement Reviews (AMR) is to evaluate the practices of a contracting activity within EPA. As part of this\nprocess, contracts are reviewed to ensure that appropriate clauses have been included, and contracts, are\nmanaged properly. This does not include the review of a contractor\xe2\x80\x99s organization or its compliance with\nrequired clauses. We consider this the responsibility of each CO, and should be a normal contract\nmanagement function. However, the AMR teams will continue to ensure that confidential business information\n(CBI) clauses are included in EPA contracts, whenever appropriate.\n\nRecommendation 3: Revise the Contracts Management Manual to include clear definitions of confidential\nbusiness, enforcement sensitive, and Privacy Act information. Include a specific requirement to address\ncontractor access to each one in the contract management plan.\n\nOARM Response: We concur with this recommendation. We will revise the Contracts Management Manual\n(CMM) to include clear definitions of CBI, enforcement sensitive, and Privacy Act information. This revision\nwill include a specific requirement to address contractor access to each type of data in the contract management\nplan. We estimate it will take 6 to 9 months to complete this, as a CMM revision requires an Agency-wide\nGreen Border review.\n\nRecommendation 4: Include in the Agency\xe2\x80\x99s contract training courses, a module that addresses all the types of\nconfidential or sensitive data and agency personnel responsibilities regarding contractor access to such data.\nRequire this training for all POs, WAMs, and DOPOs. Consider providing similar training to all document\ncontrol officers.\n\nOARM Response: We do not concur with this recommendation. Within the current OARM training\ncurriculum, we already address the need for protecting against the unauthorized release of CBI, procurement\nsensitive information, and Privacy Act information. We will continue to stress the importance of maintaining\nprotective custody of this information. These topics are specifically addressed in the Acquisition Training for\nProject Officers course and text (sections\n5.12 and 5.13), and the Contract Administration course/text (pages 133, 142, 471, and 480-481). These\ncourses are mandatory training classes for project officers, delivery order project officers, and contracting\nofficer representatives.\n\nWe do not believe that OAM should be responsible for providing training on specific program sensitive\ninformation. The program offices possess the technical knowledge necessary to identify sensitive\nprogrammatic information, and are knowledgeable of specific technical issues concerning contractor access to\nsensitive data. As such, they are in a better position to craft individual training modules addressing problems\nspecific to each of the Agency\xe2\x80\x99s technical program offices. We will remind our contracting and project officer\nof this issue in the memo referenced in our response to Recommendation 1 above.\n\n\n                                                                   Report No. EIBMF7-11-0026-8100250\n                                                       16\n\x0c                                                           Contractor Access To Confidential Data\n\n                                                                                     Appendix 3\n\n                                     Report Distribution\n\nOffice of Inspector General\n\nActing Inspector General\n\nHeadquarters Office\n\nAssistant Administrators\n\nDirector, Office of Acquisition Management (3801R)\n\nDirector, Contracts Management Division-Research Triangle Park\n\nDirector, Contracts Management Division-Cincinnati\n\nSpecial Assistant to Director, Office of Acquisition Management (3801R)\n\nAudit Coordinator, Office of Acquisition Management (3802R)\n\nAgency Followup Official (2710)\n\nAudit Coordinator, Office of Administration and Resources Management (3102)\n\nAgency Follow-up Coordinator (2724)\n\nDirector, Office of Policy and Resources Management (3102)\n\nRegional Offices\n\nRegional Administrators\n\n\n\n\n                                                        Report No. EIBMF7-11-0026-8100250\n                                              17\n\x0c'